Forged
Consulting Group
Service Detail

Incident Response Planning

Pre-negotiated retainers, tabletop exercises, playbooks, and guaranteed response times — before the crisis hits.

The worst time to figure out your incident response plan is during an incident. Who calls whom? Who has authority to shut down systems? Who talks to the press? Who contacts your insurance carrier? Who preserves evidence for law enforcement? Organizations that answer these questions in advance recover faster, lose less data, spend less money, and face fewer legal consequences than those scrambling in the moment. Forged builds incident response programs that your team can execute under pressure — because they've already practiced it.

What's Covered

Scope of Assessment

Incident Response Playbooks

Step-by-step procedures for every major incident type — ransomware, data breach, BEC, insider threat, DDoS, and physical security. Written for execution under stress, not for reading in a meeting.

Tabletop Exercises

Facilitated walk-throughs of realistic scenarios with your leadership, IT, legal, and communications teams. Discover the gaps in your plan before a real incident discovers them for you.

IR Retainer & Rapid Response

Pre-negotiated incident response retainer with guaranteed response times. When something happens, you call one number and a qualified team is engaged immediately — no scoping calls, no SOW negotiations.

Legal & Regulatory Coordination

Pre-established relationships with breach counsel, notification procedures mapped to your regulatory obligations, and evidence preservation protocols that protect legal privilege.

Crisis Communications Planning

Pre-drafted communication templates for employees, customers, partners, media, and regulators. Approved messaging ready to deploy within hours of an incident, not days.

Post-Incident Review & Improvement

Structured after-action reviews that identify what worked, what failed, and what changes to the plan, the technology, or the organization need to happen. Lessons learned turned into documented improvements.

Our Process

How It Works

01 Current State Assessment

We evaluate your existing incident response capability — what plans exist, who's responsible, what tools are available, and what gaps would leave you exposed during a real incident.

  • Existing IR plan review — does it exist, when was it last updated, has it been tested
  • Team identification — who's on the IR team, do they know it, are they trained
  • Tool inventory — EDR, SIEM, backup, forensic tools, communication platforms
  • Vendor relationships — do you have breach counsel, forensics, PR on retainer
  • Insurance review — what does your cyber policy require and what does it cover

02 Playbook Development

Custom incident response playbooks built for your organization — your systems, your team structure, your regulatory obligations, and your risk profile. Not a template downloaded from the internet.

  • Ransomware playbook — detection, containment, eradication, recovery, and payment decision framework
  • Data breach playbook — scoping, notification triggers, evidence preservation, regulatory reporting
  • Business email compromise playbook — detection, financial recovery, account remediation
  • Insider threat playbook — investigation protocols, HR coordination, legal considerations
  • Severity classification matrix — how to categorize incidents and trigger the right response level

03 Tabletop Exercises & Training

We run your team through realistic scenarios — injecting complications, time pressure, and conflicting priorities just like a real incident. The goal is muscle memory, not perfection.

  • Executive tabletop — business decisions, communications, legal, and financial impacts
  • Technical tabletop — containment procedures, forensic investigation, system recovery
  • Combined exercise — full team response simulating a realistic multi-day incident
  • Individual role training — each team member clear on their specific responsibilities
  • After-action report with identified gaps and improvement recommendations

04 Retainer Activation & Ongoing Readiness

IR retainer established with guaranteed response times. Contact information verified quarterly. Playbooks updated as your environment changes. Annual tabletop exercises to maintain readiness.

  • Retainer agreement with defined SLA — 1-hour response for critical incidents
  • Secure communication channels established (not dependent on your compromised systems)
  • Quarterly contact verification — phone trees, escalation paths, after-hours numbers
  • Semi-annual playbook updates reflecting infrastructure and personnel changes
  • Annual tabletop exercise with new scenarios based on current threat landscape

Deliverables

What You Receive

Incident Response Plan

Master IR document defining team structure, roles, communication procedures, severity levels, and escalation criteria. The governing document for your entire incident response program.

Scenario-Specific Playbooks

Step-by-step procedures for ransomware, data breach, BEC, insider threat, DDoS, and other scenarios relevant to your risk profile. Each playbook includes decision trees, checklists, and contact information.

Communication Templates

Pre-approved message templates for employees, customers, partners, media, and regulators. Fill-in-the-blank format so communications can deploy in hours, not days, during an actual incident.

Tabletop Exercise Reports

Documentation of each exercise — scenario, participants, decisions made, gaps identified, and recommended improvements. Evidence for auditors and insurance carriers that your plan is tested.

IR Retainer Agreement

Pre-negotiated engagement terms with guaranteed response SLAs, pre-approved hourly rates, and defined scope of rapid response services. No SOW negotiation during a crisis.

Contact & Escalation Directory

Complete contact information for internal team, external counsel, forensic investigators, insurance carrier, law enforcement liaisons, and regulatory contacts. Updated quarterly.

Who It's For

Is This Right for You?

No Existing IR Plan

You don't have a documented incident response plan — or the one you have is a template nobody's read. We build a real plan, train your team, and establish the retainer before you need it.

Cyber Insurance Requirements

Your carrier requires a documented IR plan, an IR retainer, and evidence of tabletop exercises. We provide all three and give your carrier the attestation they need for policy issuance or renewal.

Compliance Mandates

SOC 2, HIPAA, PCI-DSS, and CMMC all require incident response capabilities. We build the plan, run the exercises, and produce the evidence your auditor needs to check the box.

Post-Breach Rebuilding

You were breached and your response was chaotic. We do the after-action review, identify what went wrong, build the plan that should have existed, and make sure the next incident goes differently.

Board & Leadership Mandate

Your board or executive team wants assurance that the organization can handle a cyber incident. Tabletop exercises with leadership build confidence and reveal gaps in a safe environment.

Customer & Partner Requirements

Enterprise customers and partners increasingly require evidence of IR capability as a condition of doing business. A documented plan with tested playbooks satisfies those requirements.

Common Questions

FAQ

What's a tabletop exercise and why does it matter?


A tabletop is a facilitated discussion where your team walks through a realistic incident scenario — making decisions, identifying who does what, and discovering gaps in your plan. No systems are touched. It's done in a conference room in 2–3 hours. It matters because reading a plan and executing a plan under pressure are completely different things. Tabletops build the muscle memory your team needs when the real thing happens.

How is an IR retainer different from just calling a company when something happens?


Without a retainer, you're calling cold during a crisis — negotiating terms, signing contracts, explaining your environment, and waiting for availability while the attacker is still active. With a retainer, your environment is pre-documented, response teams are pre-assigned, SLAs are pre-agreed, and rates are pre-negotiated. The difference is response in hours versus response in days.

Do we need our own forensic tools?


Not necessarily. If you have EDR deployed (CrowdStrike, SentinelOne, etc.), that provides significant forensic capability. For deeper investigation — disk forensics, memory analysis, network forensics — our IR team brings the tools. What you do need: centralized logging, backup integrity, and the ability to isolate systems quickly. Those are the capabilities that determine whether an incident is containable.

Should we involve legal counsel in IR planning?


Absolutely — and before an incident, not during one. Breach counsel should be engaged during plan development to ensure evidence preservation procedures protect attorney-client privilege, notification obligations are mapped correctly, and regulatory reporting timelines are built into the playbooks. We work with your existing counsel or can recommend experienced breach attorneys.

How often should we update the IR plan and run exercises?


Plan updates: semi-annually, or whenever significant infrastructure, personnel, or regulatory changes occur. Tabletop exercises: annually at minimum for compliance, semi-annually for organizations with higher risk profiles. Contact verification: quarterly — because phone numbers change, people leave, and the last thing you want during an incident is a disconnected number on your escalation list.


Ready to Get Started?

Schedule a free consultation to discuss your project scope.
